Author Topic: Die McAfee...Die.  (Read 12744 times)
Fraeg
Terracotta Army
Posts: 1015

Mad skills with the rod.


Reply #35 on: April 28, 2010, 06:02:15 PM

I use Kaspersky.

 Mob

Nothing good to say about that one.  The best thing it ever did was detect its own installer as malware and delete it.

hmm what do you use?  I haven't had any issues with Kaspersky

"There is dignity and deep satisfaction in facing life and death without the comfort of heaven or the fear of hell and in sailing toward the great abyss with a smile."
Samwise
Moderator
Posts: 19225

sentient yeast infection


WWW
Reply #36 on: April 28, 2010, 10:36:42 PM

I use AVG at home.  Admittedly I only have experience with the "enterprise" mode of Kaspersky that slaves every machine to a central server and won't let you set your own exclusions or recover quarantined files.  Its propensity to flag just about ANY executable not on your whitelist as malware and quarantine it without prompting you makes this mode... frustrating.

"I have not actually recommended many games, and I'll go on the record here saying my track record is probably best in the industry." - schild
Fraeg
Terracotta Army
Posts: 1015

Mad skills with the rod.


Reply #37 on: April 29, 2010, 06:43:01 PM

ahh I have the personal/home/whatever version and it doesn't have the issues that you describe in my experience.

"There is dignity and deep satisfaction in facing life and death without the comfort of heaven or the fear of hell and in sailing toward the great abyss with a smile."
eldaec
Terracotta Army
Posts: 11842


Reply #38 on: May 02, 2010, 11:10:08 AM

Currently have AVG because it came installed on my laptop.

But before that I used 'not downloading/opening obvious malware and updating windows occasionally ffs'. Got to say, NDOM&UWOFFS worked just fine for years.

I'm not convinced AV software is either necessary or effective in stopping viruses tbh.


I'm edgy and controversial you see.

"People will not assume that what they read on the internet is trustworthy or that it carries any particular assurance or accuracy" - Lord Leveson
"Hyperbole is a cancer" - Lakov Sanite
Lantyssa
Terracotta Army
Posts: 20848


Reply #39 on: May 02, 2010, 12:58:46 PM

I'm not convinced AV software is either necessary or effective in stopping viruses tbh.
In a multi-user environment?  It makes a huge difference.  In such an environment where you can't control a good number of the machines?  A life-saver.

Hahahaha!  I'm really good at this!
bhodi
Moderator
Posts: 6817

No lie.


Reply #40 on: May 02, 2010, 07:06:15 PM

Scan on create or modify is fine. Scan on access is not. Everyone uses scan on access, and I can't figure out why. All it does is slow the machine to a crawl for little additional protection.
Selby
Terracotta Army
Posts: 2963


Reply #41 on: May 02, 2010, 08:00:14 PM

All it does is slow the machine to a crawl for little additional protection.
Thank you!  I haven't heard a good argument yet for it.  Or those giant deep scans they do after boot-up that slow you to a crawl for 30m.  Sorry guys, if a virus is a boot-up virus it's ALREADY loaded by the time the AV program starts its deep scan...
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #42 on: May 05, 2010, 12:34:16 AM

Scan on create or modify is fine. Scan on access is not. Everyone uses scan on access, and I can't figure out why. All it does is slow the machine to a crawl for little additional protection.

If you're not scanning on execute you might as well not be scanning at all.

EDIT: Of course if you're in an environment with no network shares or whatever you don't need it, but you can get into a heap of trouble pretty quickly accessing files on a windows share somewhere without on-access scanning.
« Last Edit: May 05, 2010, 12:36:56 AM by Ingmar »

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
bhodi
Moderator
Posts: 6817

No lie.


Reply #43 on: May 05, 2010, 11:15:39 AM

If you're not scanning on execute you might as well not be scanning at all.
Explain this. Please explain to me how a virus can get into an enterprise if all desktops are running scan on create or modify.

Then, explain to me how it isn't an extreme edge case.

Finally, explain how scanning on modify/create is equivalent to not scanning at all.
ezrast
Terracotta Army
Posts: 2125


WWW
Reply #44 on: May 05, 2010, 11:46:57 AM

you can get into a heap of trouble pretty quickly accessing files on a windows share somewhere without on-access scanning.
Or files on a CD you brought in from home, or that are already on someone's system but were only added to your AV's virus database yesterday. For home users, scanning everything all the time doesn't make much sense, but I imagine most revenue from AV comes from corporate licenses and in a large, corporate network, it sort of makes sense to be as antiseptic as possible.

Case in point, my school has used two different solutions to force students to install AV before connecting to the interwebs (one from Cisco, one from Bradford). Neither one has actually stopped me from connecting to the interwebs without AV.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #45 on: May 05, 2010, 11:50:00 AM

If you're not scanning on execute you might as well not be scanning at all.
Explain this. Please explain to me how a virus can get into an enterprise if all desktops are running scan on create or modify.

Then, explain to me how it isn't an extreme edge case.

Finally, explain how scanning on modify/create is equivalent to not scanning at all.

Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.
« Last Edit: May 05, 2010, 11:52:13 AM by Ingmar »

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Minvaren
Terracotta Army
Posts: 1676


Reply #46 on: May 05, 2010, 12:19:58 PM

Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.

if the virus is executed from a thumb drive or CD drive, doesn't it have to install itself somewhere to be able to survive a reboot?  One would hope that the heuristics on whatever AV protection you're running will check memory when it cleans the new copy of itself it made.

"There are many things of which a wise man might wish to remain ignorant." - Ralph Waldo Emerson
bhodi
Moderator
Posts: 6817

No lie.


Reply #47 on: May 05, 2010, 12:20:22 PM

Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.
Most enterprises disable thumb drive reading these days, but that aside, you can't spread the virus and it will be picked up in a regular daily scan. Again, I'm not seeing a problem when compared with the HUGE delay and slowdown associated with tunneling your entire I/O through a virus scanner.

And, of course, the idea of scanning on modify/create is equivalent to not scanning at all is complete hyperbole.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #48 on: May 05, 2010, 12:34:01 PM

Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.

if the virus is executed from a thumb drive or CD drive, doesn't it have to install itself somewhere to be able to survive a reboot?  One would hope that the heuristics on whatever AV protection you're running will check memory when it cleans the new copy of itself it made.

Typically once a halfway-competent virus is running in memory, it will interfere with the virus software on the machine - I've seen this a number of times.
Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.
Most enterprises disable thumb drive reading these days, but that aside, you can't spread the virus and it will be picked up in a regular daily scan. Again, I'm not seeing a problem when compared with the HUGE delay and slowdown associated with tunneling your entire I/O through a virus scanner.

And, of course, the idea of scanning on modify/create is equivalent to not scanning at all is complete hyperbole.

The virus not spreading beyond the one machine it infects is usually little comfort to the user who just got their machine nuked, or the IT guy who gets stuck spending hours rebuilding it. Plus there's always the risk that important data on that machine is destroyed or compromised in the process.

As long as your virus software doesn't suck (I am looking at you Symantec) for the vast majority of users the performance hit will not be noticeable. Yes, you don't want it to be running for people running certain operations that use a million little files and the like, but the more sterile the environment the better otherwise. We're running Sophos in-house now and the performance problems we saw with Symantec have completely vanished.
« Last Edit: May 05, 2010, 12:39:11 PM by Ingmar »

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
KallDrexx
Terracotta Army
Posts: 3510


Reply #49 on: May 05, 2010, 12:38:18 PM

Most enterprises disable thumb drive reading these days, but that aside, you can't spread the virus and it will be picked up in a regular daily scan. Again, I'm not seeing a problem when compared with the HUGE delay and slowdown associated with tunneling your entire I/O through a virus scanner.


Unless they run the virus off of the thumb drive, in which only on execute checks would find it.
bhodi
Moderator
Posts: 6817

No lie.


Reply #50 on: May 05, 2010, 12:41:24 PM

Typically once a halfway-competent virus is running in memory, it will interfere with the virus software on the machine - I've seen this a number of times.
And typically, 75% of viruses in the wild go right through the antivirus initially, since there are no definitions because the AV people are forever playing catch-up in a fast moving system. It's really just a false sense of security.

Unless they run the virus off of the thumb drive, in which only on execute checks would find it.
Who carries thumb drives around to large numbers of machines in your enterprise? Other than sysadmins, who, if at all competent, actually scan them.

Also, doesn't modern AV software automatically scan any usb drives that are plugged in anyway?
« Last Edit: May 05, 2010, 12:43:50 PM by bhodi »
bhodi
Moderator
Posts: 6817

No lie.


Reply #51 on: May 05, 2010, 12:59:38 PM

The virus not spreading beyond the one machine it infects is usually little comfort to the user who just got their machine nuked, or the IT guy who gets stuck spending hours rebuilding it. Plus there's always the risk that important data on that machine is destroyed or compromised in the process.

As long as your virus software doesn't suck (I am looking at you Symantec) for the vast majority of users the performance hit will not be noticeable. Yes, you don't want it to be running for people running certain operations that use a million little files and the like, but the more sterile the environment the better otherwise. We're running Sophos in-house now and the performance problems we saw with Symantec have completely vanished.
I've never found virus software that doesn't suck. Symantec and McAfee are the two I've used professionally, and those two are the largest in the business, so you might as well translate that sentence into "As long as you aren't using industry standard antivirus software, the vast majority of users will not find the performance hit noticeable" which again is a ridiculous statement.

No user should ever, EVER have important data on their desktop. Ever. It should be on some type of shared drive that is backed up (and scanned!) periodically. Come on. You know this. I know this. Everyone knows this. Users have to be cajoled into following it, but it's simple risk management / disaster recovery stuff. The same goes for having a fast desktop imaging procedure. Getting hit with a virus (that can't be removed) or one that trashes someone's machine, and having to do a standard flatten and reinstall, should take no more than 3 hours. Tops. Ideally, you should be able to netboot or stick a ghost/baremetal CD into the drive and restore from there.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #52 on: May 05, 2010, 02:31:59 PM

No user should ever, EVER have important data on their desktop. Ever.

Sure, in a perfect world. I know how dumb my users are, though, so I'm going to leave that on-access scanning running.  Ohhhhh, I see.

I'm going to stand by the statement that your average finance/sales/marketing type user isn't going to notice the little amount of overhead that our current AV solution (Sophos) takes on a modern machine. Most of them didn't even notice it from Symantec, which is much more bloated and intrusive by comparison. Yes, some guy checking 10,000 little files into or out of source control is going to have something legitimate to bitch about.

EDIT: It boils down to a philosophy issue, our company takes a 'don't trust the user/full lockdown' approach to this particular issue.

EDIT 2: If I could talk them into not trusting users with thumb drives or local admin rights, we could probably lighten up on this a little more, but...
« Last Edit: May 05, 2010, 02:37:22 PM by Ingmar »

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Samwise
Moderator
Posts: 19225

sentient yeast infection


WWW
Reply #53 on: May 05, 2010, 03:35:05 PM

Yes, some guy checking 10,000 little files into or out of source control is going to have something legitimate to bitch about.
* Samwise waves.

"I have not actually recommended many games, and I'll go on the record here saying my track record is probably best in the industry." - schild
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #54 on: May 05, 2010, 05:59:12 PM

No user should ever, EVER have important data on their desktop. Ever.

What magical mystery world do you live in where all notebooks/ laptops have wireless access all the time to save things to the network?  Because our salespeople, builders and Realtors sure don't have that luxury.

The past cannot be changed. The future is yet within your power.
bhodi
Moderator
Posts: 6817

No lie.


Reply #55 on: May 05, 2010, 08:05:19 PM

No user should ever, EVER have important data on their desktop. Ever.

What magical mystery world do you live in where all notebooks/ laptops have wireless access all the time to save things to the network?  Because our salespeople, builders and Realtors sure don't have that luxury.
Uh, a cubicle office? Where if people need to do work from home on their laptops or something, they VPN in and can access shared drives?

What happens if their laptop gets dropped? All their data is gone? Yeech.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #56 on: May 05, 2010, 08:10:12 PM

Next time you're at a stranger's house or one without utilities or on a construction site, let me know how that VPN goes.

Yes, they lose the data if they drop them. Yes, it happens. This is why they also have thumb drives.   I'm just happy some of the other office folks managed to talk the execs out of buying iPads for all of the field personnel.  That would have worked out JUST GREAT.

The past cannot be changed. The future is yet within your power.
bhodi
Moderator
Posts: 6817

No lie.


Reply #57 on: May 05, 2010, 08:13:32 PM

Next time you're at a stranger's house or one without utilities or on a construction site, let me know how that VPN goes.

Yes, they lose the data if they drop them. Yes, it happens. This is why they also have thumb drives.   I'm just happy some of the other office folks managed to talk the execs out of buying iPads for all of the field personnel.  That would have worked out JUST GREAT.
Time to get a phone tethering option!

But seriously, yours is an edge case, there are far, far more offices with stationary personnel.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #58 on: May 05, 2010, 08:26:44 PM

Mine is an edge case in an industry that helped bring the economy to its knees Grin.   I'm not sure if big commercial sites put up wireless connections or if they use 3g for their stuff.   I can't imagine biologists or anyone else working outside does the same.

The past cannot be changed. The future is yet within your power.
Slayerik
Terracotta Army
Posts: 4868

Victim: Sirius Maximus


Reply #59 on: May 06, 2010, 09:07:54 AM

I work with Neurosurgeons and some of the smartest people you'll ever meet. I still have to try to recover data off laptops because "their whole life is on there". Ok, maybe they aren't the smartest people you'll ever meet :)

The thumb drive is an awesome little backup tool. When I can't get my users to back up to their shared drives, or have too much data for there, I have them thumb it/USB hard drive it. I also warn them that the little bastards can die at any moment and to not put "your entire life on them".

For virus scanning, I personally don't use it at home, and have never been burned. It's bullshit.

"I have more qualifications than Jesus and earn more than this whole board put together.  My ego is huge and my modesty non-existent." -Ironwood
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #60 on: May 06, 2010, 03:17:55 PM

Anti-Virus software isn't for 90% of the people on this board.  It's for the 70% of the population that still looks at them as magic boxes and falls for basic shit like links that say www.disney.com but go to goatse.cx.   These are the majority of your users and you KNOW this.

The past cannot be changed. The future is yet within your power.
proudft
Terracotta Army
Posts: 1228


Reply #61 on: May 10, 2010, 09:17:58 AM

Aw, your www.disney.com link actually goes to www.disney.com.   Oh ho ho ho. Reallllly?

I haven't had a virus since the days of floppy-disk swapping in, hrm, lemme think... 1990 or '91.  I did have a hard drive crash last year that totally sucked and made me actually start backing stuff up since it cost several arms and legs to recover the drive.   This old fogey was not used to hard drives just dying without even a whimper or a chuggachugga.   Well, lesson learned.
« Last Edit: May 10, 2010, 09:20:38 AM by proudft »
MahrinSkel
Terracotta Army
Posts: 10857

When she crossed over, she was just a ship. But when she came back... she was bullshit!


Reply #62 on: May 10, 2010, 01:26:39 PM

I think it's a rule that any links to www.disney.com have to actually link to Goatse.

--Dave (that site is actually work-safe now)

--Signature Unclear
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #63 on: May 10, 2010, 03:50:24 PM

Heh, board auto-linked it. I just typed in the address but no link.

The past cannot be changed. The future is yet within your power.